Beware calls from unknown numbers - this top messaging app has placed millions of iOS and Android users at risk

Researchers have identified a critical vulnerability in popular privacy-centric messaging app Signal, affecting millions of iOS and Android users.

Discovered by security firm Tenable, the bug could allow hackers to gain access to users' coarse location data and map out patterns of movement - such as time periods during which a user is likely to be at home, work, or their favorite local haunt.

To execute an attack, the hacker need only use Signal to call another user, whose location could be compromised whether or not the call is answered.

The bug was introduced with Signal v4.59.0 on Android, while iOS users of any version since v3.8.0.34 could be at risk.

Signal vulnerability

The Signal messaging app features end-to-end encryption for both calls and text messages, attracting millions of privacy-conscious users every day across Android and iOS. Even infamous whistleblower and champion of data privacy Edward Snowden claims to “use Signal every day.”

However, according to an advisory published by Tenable, the app is not as watertight from a privacy perspective as its users might expect.

The newly discovered flaw can be used to leak information about a user's DNS, which can in turn reveal coarse location data and allow the hacker to identify the victim's location within a 400-mile radius.

While this might appear inconsequential to most, coarse location data combined with DNS server pings from different networks (domestic Wi-Fi, public hotspots, 4G connections etc.) could be used by the hacker to make more precise location assumptions.

Signal was quick to issue a patch for the vulnerability via GitHub, which Tenable commends in its advisory. However, the security firm believes the patch requires technical expertise beyond the abilities of most users, meaning hackers could abuse the flaw freely until a patch is made available on the Apple App Store and Google Play Store.

In the interim, Tenable recommends Signal users install a VPN service that offers a DNS tunnel, which can hinder an attacker's ability to exploit the flaw.

Signal did not immediately respond to our request for comment.
